
authorisation
Security pattern for implementing access control and authorization. Use when designing permission systems, implementing RBAC/ABAC, preventing unauthorized access, addressing privilege escalation, or ensuring users can only perform allowed actions on permitted resources. Addresses the "Entity performs disallowed action" problem.
Authorisation Security Pattern
Ensures entities can only perform actions they are permitted to perform on resources they are permitted to access. Prevents privilege escalation and unauthorized access.
Problem Addressed
Entity performs disallowed action: An unprivileged user performs actions reserved for administrators, accesses other users' data, or manipulates resources beyond their permissions.
Examples:
- User changes another customer's account details
- Unprivileged entity performs admin operations
- Attacker accesses internal documents by guessing identifiers
Core Components
| Role | Type | Responsibility |
|---|---|---|
| Subject | Entity | Requests actions on resources |
| System | Entity | Manages protected resources |
| Enforcer | Enforcement Point | Intercepts requests, enforces decisions |
| Decider | Decision Point | Makes allow/deny decisions |
| Policy Provider | Information Point | Manages access control rules |
Data Elements
- action: Operation Subject wants to perform
- principal: Authenticated identity of Subject
- actionId: Identifier for the action type
- objectId: Identifier for the target resource
- privileges: Permissions granted to principal
Authorisation Flow
Subject → [action(principal)] → Enforcer
Enforcer → [authorise(principal, actionId, objectId)] → Decider
Decider → [get_privileges(principal)] → Policy Provider
Policy Provider → [privileges] → Decider
Decider → [allowed/denied] → Enforcer
Enforcer → [action] → System (if allowed)
Enforcer → [error] → Subject (if denied)
- Subject (with established principal) requests action
- Enforcer intercepts and extracts actionId, objectId
- Decider queries Policy Provider for privileges
- Decider evaluates request against privileges
- If allowed: forward to System
- If denied: return error to Subject
Critical Considerations
Authorise After Authentication
- Enforcer must only process authenticated requests
- Principal must be established before authorization
- Combine with Authentication pattern
Default Deny
- Deny all requests unless explicitly allowed
- Policy should grant permissions, not revoke them
- Missing rule = denied
Object-Level Authorization (IDOR Prevention)
Critical: Always check both:
- Can principal perform this ACTION type?
- Can principal access this specific OBJECT?
Failing to check objectId leads to Insecure Direct Object Reference (IDOR) vulnerabilities.
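The flow and the checks above (Enforcer, Decider, Policy Provider, default deny, and a decision that covers both the action type and the specific objectId) as an added example; this is not code from the pattern catalogue, and the class names, the `account.*` action identifiers and the sample principals and accounts are all constructed for illustration. The Enforcer also returns one generic error whether a request is unauthenticated, denied or aimed at an object that does not exist, and keeps the real reason in a server-side log.

```python
import logging
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
class AccessDenied(Exception):
    """The only error the Subject ever sees; it carries no reason."""

def deny(detail: str) -> AccessDenied:
    logging.getLogger("authz").warning(detail)  # the real reason stays in the server-side log
    return AccessDenied()  # the client gets the same generic error every time

@dataclass
class PolicyProvider:
    privileges: Dict[str, Set[Tuple[str, str]]]  # principal -> {(actionId, objectId)}; "*" = any object
    def get_privileges(self, principal: str) -> Set[Tuple[str, str]]:
        return self.privileges.get(principal, set())  # unknown principal: no grants at all

@dataclass
class Decider:
    policy: PolicyProvider
    def authorise(self, principal: str, action_id: str, object_id: str) -> bool:
        privs = self.policy.get_privileges(principal)
        # Default deny: an explicit grant is required, and it must cover the action type
        # AND this specific objectId (the object-level check that prevents IDOR)
        return (action_id, object_id) in privs or (action_id, "*") in privs

@dataclass
class Enforcer:
    decider: Decider
    system: Dict[str, dict]  # objectId -> resource; stands in for the System
    def perform(self, principal: Optional[str], action_id: str, object_id: str) -> dict:
        if principal is None:  # authorise only after authentication has established a principal
            raise deny(f"unauthenticated request: {action_id} {object_id}")
        if not self.decider.authorise(principal, action_id, object_id):
            raise deny(f"{principal} denied {action_id} on {object_id}")
        if object_id not in self.system:  # same error as a denial, so existence is not leaked
            raise deny(f"{principal}: {object_id} does not exist")
        return self.system[object_id]

# Constructed sample data: alice owns acct-1, bob owns acct-2, root is an administrator
POLICY = PolicyProvider({"alice": {("account.read", "acct-1"), ("account.update", "acct-1")},
                         "bob": {("account.read", "acct-2")},
                         "root": {("account.read", "*"), ("account.update", "*")}})
ENFORCER = Enforcer(Decider(POLICY), {"acct-1": {"owner": "alice"}, "acct-2": {"owner": "bob"}})

def check(principal: Optional[str], action_id: str, object_id: str) -> bool:
    try:
        return ENFORCER.perform(principal, action_id, object_id) is not None
    except AccessDenied:
        return False
```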
Complete Mediation
- Check EVERY request
- No bypass paths
- Enforcer must be unavoidable
Policy Integrity
- Protect policy from unauthorized modification
- Policy changes = security-sensitive operations
- Audit policy modifications
Resource Concerns
- Enforcer/Decider on every request path
- Potential performance bottleneck
- Potential DoS target
- Consider caching, rate limiting
Authorization Models
Role-Based Access Control (RBAC)
Principal → Roles → Permissions
- Assign roles to users
- Assign permissions to roles
- Check if principal's roles include required permission
Attribute-Based Access Control (ABAC)
if (subject.dept == resource.dept AND
subject.clearance >= resource.classification)
then allow
- Evaluate attributes of subject, resource, environment
- Flexible policy expressions
Access Control Lists (ACL)
Resource → [allowed principals/operations]
- Per-resource permission lists
- Direct mapping of who can do what
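The three models side by side, as an added example that is not part of the original page: an RBAC role lookup, the ABAC rule quoted above evaluated over subject and resource attributes, a per-resource ACL, and a `decide` function that composes RBAC for the action-level check with ABAC for the object-level check. All role, permission, department and principal names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# --- RBAC: Principal -> Roles -> Permissions (constructed sample data) ---
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"doc.read"},
    "editor": {"doc.read", "doc.update"},
    "admin": {"doc.read", "doc.update", "doc.delete"},
}
PRINCIPAL_ROLES: Dict[str, Set[str]] = {"alice": {"editor"}, "bob": {"viewer"}, "carol": {"admin"}}

def rbac_allows(principal: str, permission: str) -> bool:
    # Permission is held if any role of the principal grants it; unknown principal or role grants nothing
    roles = PRINCIPAL_ROLES.get(principal, set())
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)

# --- ABAC: evaluate attributes of subject and resource -------------------
@dataclass(frozen=True)
class Subject:
    name: str
    dept: str
    clearance: int

@dataclass(frozen=True)
class Resource:
    dept: str
    classification: int

def abac_allows(subject: Subject, resource: Resource) -> bool:
    # The rule from the ABAC section: same department and sufficient clearance
    return subject.dept == resource.dept and subject.clearance >= resource.classification

# --- ACL: per-resource list of principals and their operations -----------
@dataclass
class AclResource:
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> allowed operations

def acl_allows(resource: AclResource, principal: str, operation: str) -> bool:
    return operation in resource.acl.get(principal, set())  # missing entry = denied

def decide(subject: Subject, permission: str, resource: Resource) -> bool:
    # Models compose: RBAC answers "may this principal perform this ACTION type?",
    # ABAC answers "may it touch this specific OBJECT?"; default deny unless both hold
    return rbac_allows(subject.name, permission) and abac_allows(subject, resource)
```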
Implementation Checklist
- [ ] Authentication precedes authorization
- [ ] Default deny policy
- [ ] Action-level authorization check
- [ ] Object-level authorization check (IDOR prevention)
- [ ] Enforcer cannot be bypassed
- [ ] Policy protected from tampering
- [ ] Policy changes audited
- [ ] Consistent error messages (no information leakage)
- [ ] Rate limiting on authorization endpoints
Error Handling
Return consistent errors:
- Don't reveal whether resource exists
- Don't reveal why authorization failed specifically
- Log details server-side, return generic errors to client
Related Patterns
- Authentication (establishes principal)
- Session-based access control (combines both)
- Log entity actions (audit trail)
- Limit request rate (DoS protection)
References
- Source: https://securitypatterns.distrinet-research.be/patterns/
- OWASP Authorization Cheat Sheet
- OWASP IDOR Prevention